The need for testing iOS apps

US iOS App Store
• Over 680,000 applications
  o 1,121 new apps PER DAY
  o Average iOS device: 108 apps installed
How secure are those apps?
Are they all protecting your privacy?

The need for automation in testing

• Even a technically skilled user is unlikely to have a solid understanding of all of the above (present company excepted)
• Time investment is high
• Every app requires a bespoke, manual analysis (1,121 PER DAY)
• Currently available automation is not sufficient
• Blacklist “AV”-type applications?
  o Can protect against actively malicious apps, but not against apps with unintentional security holes

The need for automation in testing

• Full automation is not sufficient
  o App interfaces are unpredictable
  o Custom apps require custom testing
  o Some vulnerability types require a human
    - Machines can’t read intent (yet)
    - Authorization issues
  o Special encodings or “encryption” might not be transparent to a tool. A human tester might intuitively discover these issues

SIRA Features

• Install applications
• Record application activity
• Automatically “drive” applications
  o Single app at a time, certain apps already implemented
  o Most apps require credentials before accessing functionality
    - “Sign up/sign in” before credentials are used
    - Sent/stored in plaintext

SIRA Features

• “Drive” application (cont’d)
  o Find application controls (buttons, fields, etc.) and give them feasible values
  o Fuzz!

SIRA Features

Manual Analysis Support
• Allow manual intervention at any step
  o Automatic app driving to register an account doesn’t work? Manually run the app while all of the “recording” functionality is running
• Display all automatic findings and confidence levels
• Display raw data to allow the analyst to find more issues easily
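
A check of the kind the “sent/stored in plaintext” and “findings and confidence levels” bullets describe, written here as an added example rather than SIRA’s own code: the credentials typed during automated sign-up are searched for in the recorded requests and files, including base64 and URL-encoded forms (the “special encodings” a naive tool misses), and each hit is reported with a confidence level. The Artifact record, the sample data and the confidence scheme are this example’s own assumptions.

```python
import base64
import urllib.parse
from dataclasses import dataclass

@dataclass
class Artifact:
    kind: str      # "http" (recorded request) or "file" (file written by the app)
    location: str  # request URL or on-device path
    body: str      # request body or file contents

def encoded_forms(secret):
    """Plaintext plus reversible encodings that a naive substring search would miss."""
    forms = {"base64": base64.b64encode(secret.encode()).decode(),
             "urlencoded": urllib.parse.quote(secret, safe="")}
    forms = {k: v for k, v in forms.items() if v != secret}  # drop no-op encodings
    forms["plaintext"] = secret
    return forms

def find_exposures(credentials, artifacts):
    """Flag credentials sent without TLS or stored on the device.
    Confidence is this example's own scheme: exact plaintext -> "high";
    only a reversible encoding -> "medium", for an analyst to confirm."""
    findings = []
    for name, secret in credentials.items():
        for art in artifacts:
            if art.kind == "http" and art.location.lower().startswith("https://"):
                continue  # body was protected in transit; not a plaintext finding
            for form, needle in encoded_forms(secret).items():
                if needle in art.body:
                    findings.append({"credential": name, "encoding": form,
                                     "kind": art.kind, "location": art.location,
                                     "confidence": "high" if form == "plaintext" else "medium"})
    return findings

# Constructed sample: credentials typed during automated sign-up and what was recorded.
CREDENTIALS = {"username": "sira_tester", "password": "Tr0ub4dor&3"}
RECORDED = [
    Artifact("http", "http://api.example-app.test/signup", "user=sira_tester&pass=Tr0ub4dor%263"),
    Artifact("http", "https://api.example-app.test/login", "user=sira_tester&pass=Tr0ub4dor%263"),
    Artifact("file", "Library/Preferences/com.example.app.plist",
             "<key>pw</key><string>VHIwdWI0ZG9yJjM=</string>"),
    Artifact("file", "Library/Caches/session.db", "session_id=c0ffee"),
]

if __name__ == "__main__":
    for f in find_exposures(CREDENTIALS, RECORDED):
        print(f"[{f['confidence']}] {f['credential']} ({f['encoding']}) in {f['kind']} {f['location']}")
```

The HTTPS login is deliberately not reported, and the base64 value in the plist surfaces as a medium-confidence hit for the analyst to confirm.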

Survey of applications (cont’d)

• For the X applications tested, we noted several trends
  o Session ID storage
  o Credential storage

Towards the future

• To the crowd!
  o Testing still takes too long
  o Let users upload their test results?
• Allow non-technical, non-jailbroken users to view security and privacy “ratings” for an app before install

Towards the future

• Are there any app developers who care about security?
• How about a model where a developer can fund a semi-automated assessment?
  o The newly revised rating gets shown on the ratings site along with a special marker showing that the rating was manually validated?